Wednesday, September 5, 2018

domain name system - Secondary Nameserver DNSSEC



I have this hidden master DNS nameserver notifying and updating the two public slave DNS servers:





  • my own VPS running Debian/Bind9 DNS

  • 3rd-party secondary nameserver provider (afraid.org)



I finally got DNSSEC working with the hidden master and my public slave server (VPS).



Now I am searching high and low for a secondary nameserver service provider that can ALSO support DNSSEC. I couldn't find one. I couldn't understand why.



Then I saw this clue on GoDaddy Secondary NameServer wiki:





  • "You cannot use both DNSSEC and Secondary DNS with the same domain name."



Why can't a 3rd party provide asecondary name server with DNSSEC?


Answer



As has been noted, the quoted statement is one service provider noting a limitation in their own service, it's not a universal truth.



All that is really needed to make what you ask for work is this:





  • Slave nameserver gets an exact copy of the full zone data (including public keys, signatures, everything) such as what happens with a normal zone transfer (AXFR/IXFR), and simply uses the received zone data verbatim, no mucking about with the data.

  • Slave nameserver software supports DNSSEC. Ie, supports EDNS0, knows to act on the DNSSEC-relevant flags in the header/EDNS0 fields (such as returning relevant RRSIG/NSEC in responses to queries that request DNSSEC).



As for why the service provider referenced in the question cannot do this, you will really need to direct the question to them to get a proper answer.
Maybe they are using some custom or outdated nameserver software that cannot meet the above requirements? Maybe it's some kind of policy decision that is not even purely technical?



If you look at service providers that have more of a focus on DNS hosting, my impression is that requirements like the above are usually a non-issue (provided they have a slave nameserver option in the first place).


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...